Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Leviathan

🌐Leviathan

🌐 Leviathan is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 50 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0065) ↗
14Use cases
0Articles
50Techniques
0IOCs

About this actor (MITRE)

[Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, [Leviathan](https://attack.mitre.org/groups/G0065) has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast

Known aliases

LeviathanMUDCARPKryptonite PandaGadoliniumBRONZE MOHAWKTEMP.JumperAPT40TEMP.PeriscopeGingham Typhoon

Top techniques

T1003 · OS Credential DumpingT1003.001 · LSASS MemoryT1021.001 · Remote Desktop Protocol

All other tracked techniques

T1021.004 · SSHT1027.001 · Binary PaddingT1027.003 · SteganographyT1027.013 · Encrypted/Encoded FileT1027.015 · CompressionT1041 · Exfiltration Over C2 ChannelT1047 · Windows Management InstrumentationT1055.001 · Dynamic-link Library InjectionT1059.001 · PowerShellT1059.005 · Visual BasicT1074.001 · Local Data StagingT1074.002 · Remote Data StagingT1078 · Valid AccountsT1090.003 · Multi-hop ProxyT1102.003 · One-Way CommunicationT1105 · Ingress Tool TransferT1133 · External Remote ServicesT1140 · Deobfuscate/Decode Files or InformationT1189 · Drive-by CompromiseT1190 · Exploit Public-Facing ApplicationT1197 · BITS JobsT1203 · Exploitation for Client ExecutionT1204.001 · Malicious LinkT1204.002 · Malicious FileT1218.010 · Regsvr32T1505.003 · Web ShellT1534 · Internal SpearphishingT1546.003 · Windows Management Instrumentation Event SubscriptionT1547.001 · Registry Run Keys / Startup FolderT1547.009 · Shortcut ModificationT1553.002 · Code SigningT1559.002 · Dynamic Data ExchangeT1560 · Archive Collected DataT1566.001 · Spearphishing AttachmentT1566.002 · Spearphishing LinkT1567.002 · Exfiltration to Cloud StorageT1572 · Protocol TunnelingT1583.001 · DomainsT1584.004 · ServerT1584.008 · Network DevicesT1585.001 · Social Media AccountsT1585.002 · Email AccountsT1586.001 · Social Media AccountsT1586.002 · Email AccountsT1587.004 · ExploitsT1589.001 · CredentialsT1595.002 · Vulnerability Scanning

Detection use cases (14)

APT40 (Leviathan/MUDCARP) web-shell follow-on recon from IIS/Exchange/Tomcat worker processes AI · profile SΣ APT40 LSASS credential theft via ProcDump / comsvcs.dll MiniDump after edge-appliance compromise AI · profile SΣ 1Password activity from Tor exit node MITRE match 1Password impossible-travel sign-in MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match